package com.abc.tacos.config;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * @author Kar
 * @create 2022-04-20 上午10:42
 */
// @Configuration
// @EnableWebSecurity
public class SecurityConfig_LDAP extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests() //允许基于HttpServletRequest使用限制访问
                .antMatchers("/", "/home","/h2-console/**")
                    .permitAll() //不需要身份认证
                .antMatchers("/Asuka")
                    //.authenticated() // 其他路径必须验证身份
                    // .access("hasRole('USER')") // 验证角色信息
                    .access("hasAnyRole('USER','MANAGERS')")
                    // .hasAnyRole("USER","MANAGERS") // 验证角色信息（多个）
                .and()
                    .formLogin() // 使用表单登陆
                        // .loginPage("/login") // 自定义登陆页面
                        .permitAll()
                .and()
                    .logout()   // 拦截"/logout"请求, 清除session数据
                        .logoutSuccessUrl("/")
                 // Make H2-Console non-secured; for debug purposes
                // tag::csrfIgnore[]
                .and()
                    .csrf()
                        .ignoringAntMatchers("/h2-console/**")
                // end::csrfIgnore[]
                // Allow pages to be loaded in frames from the same origin; needed for H2-Console
                // tag::frameOptionsSameOrigin[]
                .and()
                    .headers()
                        .frameOptions()
                            .sameOrigin();
                // end::frameOptionsSameOrigin[]        
                ;
    }

    // 3）基于LDAP的用户存储
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
                // 设置用户单元
                .userSearchBase("ou=people")
                .userSearchFilter("(uid={0})")
                // 设置组单元
                .groupSearchBase("ou=groups")
                .groupSearchFilter("(member={0})")
                // 设置密码匹配方式
                .passwordCompare()
                // 若不设置加密方式，默认为明文比对。
                .passwordEncoder(new BCryptPasswordEncoder())
                .passwordAttribute("userPassword")
                .and()
                // 设置根后缀
                .contextSource()
                    // Optional root suffix for the embedded LDAP server.
                    // Default is "dc=springframework,dc=org"
                    .root("dc=taco,dc=com")
                    //.ldif("classpath:schema.ldif") // 默认为 classpath:schema.ldif

                // .userDnPatterns("uid={0},ou=people")
                // .groupSearchBase("ou=groups")
                // .contextSource()
                // // .root("dc=springframework,dc=org")
                // .and()
                // .passwordCompare()
                // .passwordEncoder(new BCryptPasswordEncoder())
                // .passwordAttribute("userPassword")
        ;
    }
}